Solved

HTML Based Windows Authentication

Posted on 2004-10-25
Last Modified: 2013-12-24
I am trying something new with authentication and our intranet site. Basically I am disabling our current method of authentication and moving to a Windows Based authentication (Built into IIS). The problem is our users are not always at their computers at work. Basically, what I am trying to do is replace the ugly windows username and password popup with an HTML form that does the same task. Any suggestions on how to go about this?
Question by:JoshDale
17 Comments
 
LVL 21

Expert Comment

by:pinaldave
ID: 12407597
Kerberos is the answer but I can clearly see that it is very complex and hard to implement.

There is some info on MS site : http://support.microsoft.com/kb/308160/EN-US/
http://support.microsoft.com/default.aspx?scid=kb;en-us;324276

Regards,
---Pinal
0
 

Author Comment

by:JoshDale
ID: 12411521
Well, I know how it works a little better. It doesn't really talk about how information is transferred via client-->server though.
0
 
LVL 7

Expert Comment

by:INSDivision6
ID: 12413014
You cannot emulate Windows authentication (NTLM) in HTML. However, for intranet you don't need to do so at all, as it was pointed out already. This is because clients are authenticated already. So, you just need to handle permissions on the server.
0
 

Author Comment

by:JoshDale
ID: 12413058
Yea, this is only for users that are accessing the intranet remotely. And I won't actually be using HTML, I will actually be using flash, I just thought it would be easier describing the situation using HTML.
0
 
LVL 7

Expert Comment

by:INSDivision6
ID: 12413239
If you wanna implement real built-in IIS security, it is not possible, unless you make them somehow proper login in flash, so the client's browser will run under an appropriate account. Don't think it is possible on computers, which are not members of a domain without IE pop-up box. There are Windows HTTP functions, of course, which allow "invisible" login, but we are talking just about using a browser?
0
 

Author Comment

by:JoshDale
ID: 12413431
Yes, I was just wondering if you can replace the ugly ass popup windows gives you ;o) with an HTML or Flash based login screen. This was pretty much just for aesthetic reasons, I can probably live with it... I guess... If I have to ;o).

Thanks for the help
0
 
LVL 8

Expert Comment

by:sigmacon
ID: 12414149
Josh, I have come across some stuff to determine the currently authenticated user from within CF, but I would have to dig for a while to find it. To be honest, I do not believe it is worth the effort JUST to make the login window look different - and they would get it anyway! If you require authentication on your pages (whether basic or integrated), then windows will get to it first and the client will display the UGLY login window.

Of course it is theoretically possible to get the user authentication information from the user thru a non-protected page, and then authenticate them against windows and forward them to the protected pages, but that would take me at least a day to find out in detail how to do that, and it would be an ugly hack deep down the windows internals, all proxied thru CF's Java layer - mind you.

One final note: In basic user http authentication, the password is sent in clear text. If you use NTLM, then CF will not have access to the authentication (see your previous post too).

Sorry man. The best and safest way to login people is to use SSL for the transport, and whatever your backend authentication database is, whether SQL, LDAP, or - with the proper hooks, Active Directory or the machine-local user database.
0
 

Author Comment

by:JoshDale
ID: 12414720
Actually, I have been putting a lot of thought into this, couldn't I just use CGI variables to check the current user (if they are logged on locally through our domain)? I could then run a check to see if the user is logged in and if they aren't I could then throw them the login page.
What do you think of this?
0
 

Author Comment

by:JoshDale
ID: 12414851
I am looking at the CGI variable list and came up with these:
CGI.Auth_Password (I would assume this is to see what password the user used when they used Basic Windows Auth correct?)
CGI.Auth_User (I would also assume this is based on Basic Windows Auth)

CGI.Remote_Addr (I could get this information and if the user's IP isn't within a certain range 192.168.0.0 - 192.168.255.255 I can throw the login page)
CGI.Logon_User (Can I use this without Basic Authentication to see the username of the person accessing the site?)

Sorry, I am relatively new to CF still. The descriptions for some of these vars are sort of vague.
0
 
LVL 8

Expert Comment

by:sigmacon
ID: 12414918
You can determine the logged-on user thru CGI variables, IF they logged on already, that means, AFTER they saw the login-in screen - if if they are at your office. And your page will not be executed UNLESS they logged on.
0
 
LVL 8

Expert Comment

by:sigmacon
ID: 12414941
It's supposed to say: AFTER they saw the login-in screen - OR if they are at your office

You could do anything you want with any of those values. But what I said in my last comment still applies.
0
 

Author Comment

by:JoshDale
ID: 12414969
What I am thinking is I can check a number of things in this order.

1. Cookie         If they have been logged in before, I can use a cookie to store their information.
2. Username    Check to see if their username matches that of what is on the database.
3. IP Address   Check to see if their ip address matches that of our company scope.

if NOT

Send the user to the login page regardless.
0
 
LVL 8

Expert Comment

by:sigmacon
ID: 12415021
Josh, I think we are not talking about the same thing. You said you wanted to get rid of the "ugly" login/authentication popup that external users get when they connect to your website? If that's so, then YOU WILL NOT BE ABLE TO DO ANYTHING IN COLDFUSION AT THIS POINT, BECAUSE CF HAS NOT EVEN BEEN CALLED YET. If that's not the problem you have, please describe what you are trying to do more specifically.
0
 

Author Comment

by:JoshDale
ID: 12415160
That was, but I was re-evaluating the solution. Instead of using Windows Authentication, why don't I just get the user's information and use that to authenticate the user; for example Username and IP Address. I can check to see if the Username matches one in the system, if so, I can then check to see if the user's IP Address is within the acceptable range. If any of those conditions fail, I just pass a login page to them. This way, the user doesn't have to login if they are in our local domain but would have to under all circumstances.
0
 
LVL 8

Accepted Solution

by:
sigmacon earned 2000 total points
ID: 12415231
You would be 1000% safer with your first approach, because it's not home-grown and also protects your entire website. To compromise security just to get rid of some popup window does not seem balanced. Authenticating based on IP address is always a bad idea, because they could be spoofed. But if the convenience is more important, then your approach is definitely viable. I hope I could be of some help.
0
 

Author Comment

by:JoshDale
ID: 12415422
IP Address and Username
0
 

Author Comment

by:JoshDale
ID: 12415642
Wow, I just had the biggest brain lapse of all time. I just remembered God invented cookies for a reason right???

Thanks for the help sigmacon.
0
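
An added example, not part of the thread and written in Python rather than ColdFusion, of the cookie-first check order discussed above: the login cookie is HMAC-signed with an expiry so a client cannot mint or edit it, and the 192.168.0.0/16 test is recorded as context only, never used as identity. The secret, session lifetime, cookie layout and all function names are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
import ipaddress
import time

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
OFFICE_NET = ipaddress.ip_network("192.168.0.0/16")  # range named in the thread
MAX_AGE = 8 * 3600  # assumption: 8-hour session lifetime


def issue_cookie(username, now=None):
    """Call only after the login form's credentials were verified over SSL."""
    expires = int(time.time() if now is None else now) + MAX_AGE
    payload = f"{username}|{expires}".encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify_cookie(cookie, now=None):
    """Return the username for an authentic, unexpired cookie, else None."""
    try:
        b64, tag = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
        expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):  # constant-time compare
            return None
        username, expires = payload.decode().rsplit("|", 1)
        if int(expires) < (time.time() if now is None else now):
            return None
        return username
    except (ValueError, TypeError):  # malformed or non-ASCII input
        return None


def in_office(remote_addr):
    try:
        return ipaddress.ip_address(remote_addr) in OFFICE_NET
    except ValueError:
        return False


def decide(cookie, remote_addr, now=None):
    """Only a valid signed cookie grants access; the address is context only."""
    user = verify_cookie(cookie, now) if cookie else None
    return ("allow" if user else "login", user, in_office(remote_addr))
```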
